Cyberskepticism: The Mind's Firewall

By Timothy Thomas

Editorial: Mr. Thomas examines various forms of computer
network-related deception, including technical and social
exploitation. He examines how deceptive practices can be easily
concealed within existing cultural and network constructs. Finally,
he advises adoption of a proper mental framework to help defeat this
class of cyber threat.


Introduction 

In 2004, computer hackers in the Netherlands developed a
way for unsuspecting computer users to download a virus.
Their vessel for doing so was a photo of Russian tennis star
Anna Kournikova, a heart throb to many young male tennis
enthusiasts. As SearchWindowsSecurity reported:

The Anna Kournikova VBS.SST computer virus, informally
known as "Anna," is a viral worm that uses Visual Basic to
infect Windows systems when a user unwittingly opens an
e-mail note with an attachment that appears to be a graphic
image of Russian tennis star Anna Kournikova. However, when
the file is opened, a clandestine code extension enables the
worm to copy itself to the Windows directory and then send the
file as an attachment to all addresses listed in your Microsoft
Outlook e-mail address book.

Such cyber deception is, unfortunately, quite common.
Episodes involving cyber deception occur daily and, in some
of the worst cases, have resulted in suicides, identity theft,
financial scandals, assists to pedophiles, and "cybercide"
(inadvertently taking down your own network by downloading
and propagating a virus). Most recently hackers have tried to
penetrate the Pennsylvania Lottery. Consider the ramifications
and consequences if they are successful in this endeavor!

The context that ignites cyber deception is the similarity
between reality and digitally generated forms of communication
(text, video, etc.). This confrontation was fully brought into
focus in the 1983 film War Games. A computer named Joshua,
while playing a game initiated by young computer wizard
David Lightman (actor Matthew Broderick), takes control of
all US nuclear weapons and begins a countdown to launch
them and start World War III. Lightman asks Joshua if he is
playing the game or playing for real. Joshua answers: "What's
the difference?"

Cyber deception utilizes the similarity between reality and
digital communication to exploit cognitive biases in human
decision-making. These biases prey on a human's proclivity
to accept rewards, romance, charity, or other feelings of
sensitivity and emotion; or in some cases exploit habits or
environmental influences (gambling, participation in scams,
etc.). Since real issues and digital issues often coincide,
humans are easily enticed into believing that what is false is
real, and vice versa.

This article explains the context within which cyber
deception has fermented. It then offers several examples of the
forms that cyber deception has taken in recent years. The study
of cyber deception has obvious value for a military audience—it
is a key element of IO and OPSEC. In fact, some of the best
OPSEC advice available is to "be a cyberskeptic."


Social Engineering

Information security expert Mark Edmead, writing about
famed computer hacker Kevin Mitnick (who exploited human
vulnerabilities to the maximum extent possible), noted:

According to Mitnick, all of the firewalls and encryption
in the world will never stop a gifted social engineer from
rifling a corporate database or an irate employee from crashing
a system. If an attacker wants to break into a system, the most
effective approach is to try to exploit the weakest link—not
operating systems, firewalls or encryption algorithms—but people.

[Image: Social Engineer. (Matthew Griffiths, wikipedia.org)]

Pitting one's cognitive skills and beliefs against a person
or system to access a product, a password, or some other
type of information is a process known as social engineering.
Wikipedia defines social engineering as:

"A collection of techniques used to manipulate people
into performing actions or divulging confidential information.
While similar to a confidence trick or simple fraud, the term
typically applies to trickery for information gathering or
computer system access and in most cases the attacker never
comes face-to-face with the victim."

Social engineering tries to fool decision makers, and is
really nothing more than an updated term for stratagems used
by the Chinese thousands of years ago for similar purposes.
There are many social engineering techniques, several of which
are highlighted below:

• Pretexting—the act of creating and using an invented
scenario (the pretext) to persuade a target to release
information or perform an action and is typically done over
the telephone.

• Phishing—a technique of fraudulently obtaining
private information, typically by sending an e-mail that looks
legitimate.

• IVR/phone phishing—technique using an Interactive
Voice Response (IVR) system to recreate a legitimate sounding
copy of a bank or other institution's IVR system.

• Trojan horse/gimmes—technique taking advantage of a
victim's curiosity or greed to deliver malware.

• Road apple—a real-world variation of a Trojan Horse
using physical media and relying on a victim's curiosity
(leaving a CD or USB flash drive in a place where it will be
found).

• Quid pro quo—technique involving a random caller
who states that he is from technical support in an attempt to
find someone with a problem and then guide them through
commands giving the caller access or the ability to launch
malware.

Cyber deception exploits in electronic fashion older
deception techniques known as "confidence tricks." These are
the con games or scams that try to swindle a person after gaining
their confidence. Confidence tricks enable cyber deception
successes in get-rich-quick schemes, romance, extortion,
gambling, false injury or false reward, and charity tricks; and
undercover cop scams, among others.

A Fertile Playing Field

The number of cybersites that consumers depend
upon daily has grown considerably over the past several
years. A tiny fraction of the digital playing field includes:
e-mail; MapQuest; Google; FaceBook; Flickr; MySpace;
phonebook; BitTorrent; YouTube; forums; chat rooms; dating;
Craig's List; donate; blog/vlog; video games; e-invitations;
e-cards; weather; text messaging; financial planning; personal
websites; picture sharing; airline travel; banking; test
preparation; college classes; and cellphones.

Within these cyber circles, especially when FaceBook and
MySpace were startups, common ideological thought or interests
served as strong bonds. Virtual trust accumulates among
individuals or groups even though an actual "meeting" has never
occurred. Cyber tribes form. Unfortunately, as virtual trust
grows so does virtual and cognitive vulnerability.
For example, someone posing as an adherent to a cause can
enter a group and gather information, manipulate the group's
way of thinking, or embarrass the group by pretending to be a
group member but publicly criticizing its cause. This can fool
readers of a website into believing that group members are not
cohesive, among other consequences.

Virtual size is another factor influencing cognitive
deception. On the Web, it is very easy for one or a few people
to appear to represent thousands simply through the number of
messages produced. Virtual quantity, as the saying goes, has
a virtual quality (in this case sheer size and thus influence) all
its own that persuades via peer pressure or some other uniting
factor.

While the main focus of cyber deception is to manipulate
a person's cognitive perceptions, software can be manipulated
as well (since humans write it!). Software is the unsuspecting
agent that spreads false, selective, or viral material. Web
crawlers are one of the most obvious tools that can produce
cyber deceptive material. For example, they can determine
website content. Depending on how an algorithm is written, a
Web site will gather some data and discard others. An Al Qaeda
website may eliminate all information about Christianity, thus
deceiving subscribers about both the nature and popularity of
the religion. In this case it can be both false and selective.
In another instance, Web crawlers are often designed to
match advertising to fit the content of the website. Some of
those advertisements could be illusions of grandeur designed
only to collect money from unsuspecting readers. Machines
and software thus begin to control people through monitoring
and manipulation. The cyber deception malady is present in
both people and software.

While criminals and terrorists use cyber deception to collect
data, cyber deception can also be used by website moderators
to provide false information to the consumers visiting the
site. In fact, cyber deception is one of the most common ways
for law enforcement personnel to catch pedophiles.

Nicholas Carr, former executive editor of the Harvard
Business Review, believes that artificial intelligence experts
have not only succeeded in rewiring our computers but humans as
well. From his point of view, people are beginning to process
information as if they were nodes with regard to speed of
locating and reading data. If we only tend to go to certain
websites, then much like Web crawlers we only access certain
types of information. This allows machines to transfer their way
of thinking into humans—if the latter don't take the time to
process and analyze the information.

Of course, there are a plethora of cyber deception examples
from which to choose. Even a small selection demonstrates the
widespread use of cyber deception. They also demonstrate
any source, no matter how trustworthy, can turn into a cyber
deceiver, sometimes without the source's knowledge.

Cyber Deception From an Unlikely and Trusted
Source

One example of cyber deception from a trusted source
involved the San Francisco Chronicle. The paper's website,
SFGate.com, posted comments from readers. The paper's
moderators found a way to 'neuter' what they considered
problem comments. The moderators were able to do so without
making it appear that a comment had been eliminated due to
ideological concerns. Their methodology went as follows.
When a problem comment appeared, the moderators found a
cyber or digital way to eliminate the comment from the Web
page for all viewers except for the person who submitted it.
That way, the person submitting the comment was satisfied that
his or her opinion had been expressed and was still "out there"
on the Web. The moderators' deception was exposed when a
person who had submitted a "problem" comment tried to view
his comment from a computer other than his own (he wanted to
show it to a friend). His comment was not there. He returned
home and found the comment still on his personal computer.
He then wrote to the Chronicle and they admitted the cyber
deception. This group carried out dual cyber deception: the
moderators fooled both their public into thinking there wasn't
any criticism of the type leveled by the individual, and the
individual was cyber deceived into thinking his posting was
still online.

Another case of cyber deception was based on comments
from entrepreneur Dan Ackerman Greenberg. He described
some secret strategies behind the creation of viral videos—
those Internet videos that really take off and become popular
"must sees" such as Soulja Boy, Miss Teen South Carolina, and
Smirnoff's Tea Partay music video. In essence, his strategies to
make videos viral were cyber deception methods. For instance,
he recommended paying people who run relevant blogs to
post embedded videos. As a result, what "seems" popular has
actually been pre-financed through blog masters, thus cyber
deceiving the audience ("this video is on the most watched list,
it must be good"). Greenberg would also create huge friend
lists on Facebook and then send all of them a video. He would
ask that his friends e-mail the video to their friends, or at least
share it on Facebook. He would also change the name of the
video so that it would appear new, though people were simply
visiting the same site. At times he would have conversations
with himself recommending the video to others, or have
others in his office post comments about the video and get a
heated conversation going about the video. Thus his virtual
conversations and other methods acted to cyber deceive many
people, causing them to either watch the video or go find it,
because it appeared popular. Greenberg concludes by noting
that "true virality takes serious creativity." Virtual creativity is
thus another cyber deception methodology for IO professionals
to explore.

Cyber Linking the Virtual World With the Real
World (Especially Romance)

In January of 2007, storms were battering Europe and more
than 230 people had died. On the Web there appeared an article
called "Full Story.exe." While providing more information
on the storm, the story provided a damaging storm of another
type. The file, of course, contained a virus dubbed the "Storm
Worm." As Time magazine reported:

the virus is a marvel of social engineering and "it is to
viruses what Michelangelo was to ceilings." Its subject line
changes constantly. It preys on shock, outrage, prurience, and
romance. It mutates quickly, changing its size and tactics often
to avoid virus filters. It exploits blogs and bulletin boards. It
contains links to fake YouTube pages which crash your browser.
More importantly it provides others with access and control
over your computer.

Real-world romance techniques on the Internet have
produced some very innovative cyber deception techniques.
Valentine cards sent electronically are one technique designed
to enhance romance. In 2006 electronic Valentine cards were
sent to unsuspecting people who opened them for various
reasons (do I have a secret lover?). Some of the messages
arrived "having been forwarded by or appearing to have
been forwarded by people known by the recipient." While
piquing one's curiosity, it also tricked people into infecting
their computers.

Recently, the Russian language website CyberLover.ru
was identified as capable of holding "fully automated flirtatious
conversations with users of chat-rooms and dating sites, to
persuade them to share their identity or visit websites with
malicious content." An English version of the site has not yet
appeared. The site can establish a relationship with up to ten
people in thirty minutes, and purportedly its victims cannot tell
whether there is a human or a computer generated response on
the other end. Sergei Shevchenko, a PC Tools senior malware
analyst, says the site "monitors the victims' Internet browser
activity, automatically recognizes and fills in fields in the
Web pages, generates keystrokes and mouse clicks, and posts
messages, URLs, files, and photos." Clearly this is a marvel
of current cyber social engineering and deception skills.

Cyber Deceptive Visitors

Important websites, such as those run by NASA, the US
Army, hospitals, or the UK's Ministry of Defense, are visited
thousands of times each month by people from all over the
globe. Not all visits are innocuous, however. Several visitors
are most likely intended or designed to simply gather data.
Some may also use anonymizers to hide their true identities.
The UK's Counter Terrorism Science and Technology website
recently posted "who" had visited its website, to include
potential suppliers. Information of this sort can be "precisely
the kind of fodder gathered in foot printing exercises, in which
attackers learn as much as possible about sites they intend to
penetrate."

Cyber Deceptive RFID Tags

A radio-frequency identification (RFID) tag is a chip
with embedded data. When the tag "hears" a particular radio
signal, it broadcasts its number, thus becoming "located." Such
chips are implanted in dogs, books, and other articles to find
them when they are lost. However, if the tag is removed and
placed in another receptacle, then those seeking the chip will
be cyber deceived into running after another source. You may
be searching for a German Shepherd, but may instead locate
a horse, sheep or snake depending on who hosts the chip. A
more sophisticated use of the RFID chip would be stealing
information from passports or security cards, which also send
out a signal. Someone walking near you with a reader could get
your passport or security card information. Such information
could be placed in another chip or just the information itself
could be used to confirm someone's identity. Some people
have begun wrapping their passports in metal foil to make their
information harder for RFID readers to access.

Cyber  Deception  to  Breach  Firewalls 

The November 2007 issue of Wired magazine provided
a list of methods to breach information security. First, it was
recommended to go 'in disguise.' Using this cyber deception
method involves using proxy servers and other software to mask
location and identity. Not long ago Foreign Policy magazine
noted that a system known as Tor was "a downloadable software
that routes an Internet surfing session through three proxy
servers randomly chosen from a network of more than 1,000
servers run by volunteers worldwide." This cyber deception
method frustrates law enforcement agencies from finding the
source of a criminal or insurgent message. Keystroke tracking
software installed on keyboards allows for cyber monitoring
in cybercafés to keep track of messages being sent out without
the user's knowledge. Of course cyber proxies could be used
against any target. Other more straightforward methods suggest
common sense ideas, not nearly as sophisticated. These include
scrambling messages using encryption, posting on sites rarely
monitored, searching overseas versions of a website, avoiding
controversial terms, and using Skype (internet protocol
telephone).

Cyber Deceptive Advertising

Some eighteen months ago. ran online banner ads
infected with adware. This allowed malware to surreptitiously
track infected users' Internet usage while bombarding them
with pop-up ads. In a similar episode, users were invited to
download a Sudoku game to pass the time. Attached to the
Sudoku game advertisement was adware providing the same
type of cyber tracking.

Cyber Deception Techniques Of a Hacker

Noted social engineer Kevin Mitnick, who was arrested
and served time in prison for hacking into computers, wrote
the best book on cyber deception available on the market today.
Titled The Art of Deception, he describes how he enticed people
into providing passwords and codes through social engineering
techniques.

Mitnick noted that firewalls and biodetection systems
are great ways to prevent hacking, but that training people to
spot social engineering techniques is just as important. For
example, one way to get information on cyber access codes
is to call an unsuspecting person at a company and pose as an
associate. This initial discussion will focus on troubleshooting
a nonexistent network problem for the unsuspecting person.
After pretending to have fixed the problem, Mitnick says the
"associate" would ask for a favor, playing on a human tendency
to reciprocate for a good deed. He notes this "causes people
to take a mental shortcut, based not on the request, but the
favor."

Cyber Phishing


No discussion of cyber deception would be complete
without a discussion of phishing techniques. According to
Wikipedia, phishing is an attempt to criminally and fraudulently
acquire sensitive information, such as usernames, passwords
and credit card details, by masquerading as a trustworthy entity
in an electronic communication. Phishing often directs users
to enter details at a website. Current attempts to deal with
the growing number of reported phishing incidents include
legislation, user training, public awareness, and technical
measures.

Among the thousands of phishing scenarios, several
come to mind. One was the attempt to access personnel
databases on people who had visited the Oak Ridge National
Laboratory, starting from 1990. Staff members received hoax
emails that at first glance appeared legitimate. Such messages
gave information to members of a scientific conference and
another pretended to have information about a Federal Trade
Commission complaint.


Cyber Deception and Hoaxbusters


In an odd way, explicit warnings about viruses, and our
concern about downloading a virus inadvertently, have helped
spawn a number of Internet virus hoaxes. A hoax uses a hook, a
threat, or a request to get someone to believe in a fake message
or chain letter and send it on to someone else or take some
sort of action. Hoaxes adopt many of the principles associated
with social engineering. The website http://hoaxbusters.ciac.org
has listed a series of hoax categories: malicious code
warnings; giveaways; chain letters; urban myths; sympathy
hoaxes; threats; inconsequential warnings; scams; scare chain
letter; jokes; true legends; hacked history; and stories with
unknown origins.

Cyber  Deception  By  Insurgents 

Insurgents now plan, recruit, teach, and finance on the
Internet. Further, they deceive through a variety of techniques
that military planners must consider. A member of the US Army
Foreign Military Studies Office (FMSO) accidentally discovered
one of the most interesting techniques. It involved a cyber
deception strategy known as "hide in plain site."
The FMSO analyst was looking over a website focused on
Arab entertainment. By chance, his hand slipped on the mouse
and pulled the cursor to the bottom of page two. There, out of
sight unless you knew it was there, was a counter mechanism
counting backwards to zero. Then the counter disappeared.
Curious, the analyst got out of the site and went back in,
immediately scrolling to the bottom of page two. Again he
saw the counter before it disappeared. Once again, the analyst
exited the website and reentered, but this time he clicked
on the counter. The link took him directly to an extremist
insurgent website. This is cyber deception of a still different
type, in which the access point 'cybervanished' after a certain
time period.

Cyber  Address  Book  Harvesting 

Some programs are specially designed to steal the computer
address book of, let's say, Mister X. When this occurs, the
address "harvester" then uses the address book to send out spam
or viruses with the added line "this email was sent to you on
behalf of person X"—the one whose address book was stolen.
Since the information was sent to you on behalf of someone
you already know and regularly correspond with (X), more often
than not the intended target will open the email.

Cyber Deception Via Satellite

The Russian military has explored the use of cyber
deception's adaptation to a concept known as 'reflexive
control' (similar, but not identical, to the US term 'perception
management'). Reflexive control (RC) consists of transmitting
motives and grounds from the controlling entity to the
controlled system that stimulate a desired decision. The goal
of RC is to prompt the enemy to make a decision unfavorable
to him. Naturally, one must already have a good idea about
how the enemy thinks to make such attempts successful.

Russian theorist Colonel Sergei Leonenko initially thought
the use of computers would hinder the use of reflexive control
since computers would make it easier to process data and
calculate options. A computer-aided opponent could more
easily "see through" a reflexive control measure by an
opposing force, due to greater speed and accuracy in
processing information. He later surmised, however,
that computer use may actually improve the chances for
successful reflexive control, since a computer lacks a
human being's intuitive reasoning. Leonenko suggests
acting against technical reconnaissance assets, especially
weapons guidance systems, which are impassive in
assessing what is occurring and do not perceive to what a
person reacts. He believes we live in a frightening time if,
in fact, decisions are in the hands of machines "incapable
of assessing what is occurring, and do not perceive what
a person reacts to."

Conclusions

The major conclusion one can draw from this
explanation is that in the cyber age, people have to develop
a strong sense of cyber skepticism. Skepticism should not be
limited to computer operators; a healthy dose should be present
in Blackberry, iPhone, cell phone, and other digital device users.
Without skepticism, users and operators are almost certainly
doomed to exploitation by electrons somewhere, sometime.
The article you are now reading could also have elements of
cyber deception, since much of the information was taken from
the Internet without a sure way of confirming the material's
authenticity!

Cyber deception has practically evolved into an art form.
It is creative, invasive, and, as Kevin Mitnick noted, strongly
dependent on social engineering techniques. Before the
development of the personal computer, people were fooled by
confidence tricks. But these same people were never exposed to
the onslaught of cyber deception attempts, nor the consequences
of successful attempts (the emptying of your bank account is
but one possible result) that people experience today.

The number of terms involved with cyber deception causes
confusion among computer users who are not dedicated to
the study of information security issues. This also increases
a computer user's susceptibility to attack. For example, a
recent BBC report listed several cyber deception techniques
other than those listed above. The average home computer
user may not totally understand the effects of the following:
pharming (fraudsters redirect net users from legitimate to fake
sites); rogue dialing (software that installs itself on computers
and changes settings to dial a premium rate number instead of
usual dialup accounts); spyware (small programs that secretly
monitor sites visited); keylogging (software/hardware to track
keystrokes on a computer to gather passwords and credit
card numbers); and other terms related to deceptive scams on
personal computers.

The bottom line: be a cyberskeptic. Only in this way
can we erect an effective cognitive defense against the many
forms of cyber deception. The mind has no firewall—except
skepticism.

Tim Thomas, LTC, US Army, Retired,
served as a Soviet/Russian Foreign Area Officer.
His assignments include brigade S-2 and company
commander in the 82d Airborne Division, and the
Army Russian Institute. He has done extensive
research and publishing in the areas of peacekeeping,
IO, and PSYOP. He currently serves as a Senior
Analyst in the Foreign Military Studies Office, Ft.
Leavenworth. He holds a BS from the US Military
Academy at West Point, and Master of Arts from
USC.


Spring 2008


